Version: Next

How to use HTTPS

HTTPS

For users choosing OAuth 2.0 as the authentication method, it is recommended to use HTTPS instead of HTTP. HTTPS encrypts the request headers, offering better protection against smuggling attacks.

Note that Gravitino cannot simultaneously support both HTTP and HTTPS within a single server instance. If HTTPS is enabled, Gravitino will no longer provide HTTP service.

Currently, both the Gravitino server and the Iceberg REST service can be configured to support HTTPS.

Apache Gravitino server's configuration

| Configuration item | Description | Default value | Required | Since version |
|---|---|---|---|---|
| gravitino.server.webserver.enableHttps | Enables HTTPS. | false | No | 0.3.0 |
| gravitino.server.webserver.httpsPort | The HTTPS port number of the Jetty web server. | 8433 | No | 0.3.0 |
| gravitino.server.webserver.keyStorePath | Path to the key store file. | (none) | Yes, if HTTPS is used | 0.3.0 |
| gravitino.server.webserver.keyStorePassword | Password to the key store. | (none) | Yes, if HTTPS is used | 0.3.0 |
| gravitino.server.webserver.keyStoreType | The type of the key store. | JKS | No | 0.3.0 |
| gravitino.server.webserver.managerPassword | Manager password to the key store. | (none) | Yes, if HTTPS is used | 0.3.0 |
| gravitino.server.webserver.tlsProtocol | TLS protocol to use. The JVM must support the chosen protocol. | (none) | No | 0.3.0 |
| gravitino.server.webserver.enableCipherAlgorithms | The collection of enabled cipher algorithms. | '' (empty string) | No | 0.3.0 |
| gravitino.server.webserver.enableClientAuth | Enables the authentication of the client. | false | No | 0.3.0 |
| gravitino.server.webserver.trustStorePath | Path to the trust store file. | (none) | Yes, if HTTPS and client authentication are used | 0.3.0 |
| gravitino.server.webserver.trustStorePassword | Password to the trust store. | (none) | Yes, if HTTPS and client authentication are used | 0.3.0 |
| gravitino.server.webserver.trustStoreType | The type of the trust store. | JKS | No | 0.3.0 |

Apache Iceberg REST service's configuration

| Configuration item | Description | Default value | Required | Since version |
|---|---|---|---|---|
| gravitino.iceberg-rest.enableHttps | Enables HTTPS. | false | No | 0.3.0 |
| gravitino.iceberg-rest.httpsPort | The HTTPS port number of the Jetty web server. | 9433 | No | 0.3.0 |
| gravitino.iceberg-rest.keyStorePath | Path to the key store file. | (none) | Yes, if HTTPS is used | 0.3.0 |
| gravitino.iceberg-rest.keyStorePassword | Password to the key store. | (none) | Yes, if HTTPS is used | 0.3.0 |
| gravitino.iceberg-rest.keyStoreType | The type of the key store. | JKS | No | 0.3.0 |
| gravitino.iceberg-rest.managerPassword | Manager password to the key store. | (none) | Yes, if HTTPS is used | 0.3.0 |
| gravitino.iceberg-rest.tlsProtocol | TLS protocol to use. The JVM must support the chosen protocol. | (none) | No | 0.3.0 |
| gravitino.iceberg-rest.enableCipherAlgorithms | The collection of enabled cipher algorithms. | '' (empty string) | No | 0.3.0 |
| gravitino.iceberg-rest.enableClientAuth | Enables the authentication of the client. | false | No | 0.3.0 |
| gravitino.iceberg-rest.trustStorePath | Path to the trust store file. | (none) | Yes, if HTTPS and client authentication are used | 0.3.0 |
| gravitino.iceberg-rest.trustStorePassword | Password to the trust store. | (none) | Yes, if HTTPS and client authentication are used | 0.3.0 |
| gravitino.iceberg-rest.trustStoreType | The type of the trust store. | JKS | No | 0.3.0 |

Refer to the "Additional JSSE Standard Names" section of the Java security guide for the list of protocols related to tlsProtocol. You can find the list of tlsProtocol values for Java 8 in this document.

Refer to the "Additional JSSE Standard Names" section of the Java security guide for the list of cipher algorithms related to enableCipherAlgorithms. You can find the list of enableCipherAlgorithms values for Java 8 in this document.

Example

Follow these steps to set up an HTTPS server.

  1. Prerequisite
    • Install JDK 8 and wget, and set the JAVA_HOME environment variable.
    • If you want to use the curl command to send requests to the Gravitino server, install OpenSSL.
  2. Generate the key store

      cd $JAVA_HOME
      # Create a self-signed RSA key pair in a new JKS key store
      bin/keytool -genkeypair -alias localhost \
        -keyalg RSA -keysize 4096 -keypass localhost \
        -sigalg SHA256withRSA \
        -keystore localhost.jks -storetype JKS -storepass localhost \
        -dname "cn=localhost,ou=localhost,o=localhost,l=beijing,st=beijing,c=cn" \
        -validity 36500

  3. Generate the certificate

      # Export the public certificate from the key store
      bin/keytool -export -alias localhost -keystore localhost.jks -file localhost.crt -storepass localhost

  4. Import the certificate

      # Add the certificate to the JDK's default trust store so that Java clients trust it
      bin/keytool -import -alias localhost -keystore jre/lib/security/cacerts -file localhost.crt -storepass changeit -noprompt

  5. Refer to the configuration tables above and append the settings below to conf/gravitino.conf. The configuration file doesn't resolve environment variables, so replace ${JAVA_HOME} with the actual value. Then start the Gravitino server.

      gravitino.server.webserver.host = localhost
      gravitino.server.webserver.enableHttps = true
      gravitino.server.webserver.keyStorePath = ${JAVA_HOME}/localhost.jks
      gravitino.server.webserver.keyStorePassword = localhost
      gravitino.server.webserver.managerPassword = localhost

  6. Request the Gravitino server
    • If you use Java, you can copy the code below to a file named Main.java

      import org.apache.gravitino.client.GravitinoClient;
      import org.apache.gravitino.client.GravitinoVersion;

      public class Main {
        public static void main(String[] args) {
          // HTTPS endpoint on the default httpsPort (8433)
          String uri = "https://localhost:8433";
          GravitinoClient client = GravitinoClient.builder(uri).withMetalake("metalake").build();
          // Fetch and print the server version over TLS
          GravitinoVersion gravitinoVersion = client.getVersion();
          System.out.println(gravitinoVersion);
        }
      }

    • If you want to use the curl command, run the following commands:

      # Convert the DER-encoded certificate to PEM so that curl can use it as a CA file
      openssl x509 -inform der -in $JAVA_HOME/localhost.crt -out certificate.pem
      curl -v -X GET --cacert ./certificate.pem -H "Accept: application/vnd.gravitino.v1+json" -H "Content-Type: application/json" https://localhost:8433/api/version
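
The "Required" column of the configuration tables and the note that environment variables are not resolved can be checked before the server starts. The Python script below is an added example, not part of Gravitino or its documentation. The names parse_conf and check_https, the simple "key = value" parsing, and the list of protocol names treated as legacy are assumptions made for this example.

```python
import re

# Conditional requirements taken from the "Required" column of the tables above.
REQUIRED_WITH_HTTPS = ("keyStorePath", "keyStorePassword", "managerPassword")
REQUIRED_WITH_CLIENT_AUTH = ("trustStorePath", "trustStorePassword")
# Assumption: JSSE protocol names this check rejects; the list is not from the Gravitino docs.
LEGACY_PROTOCOLS = {"SSL", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_conf(text):
    """Parse 'key = value' lines, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def check_https(conf, prefix="gravitino.server.webserver"):
    """Return findings for one service (server or gravitino.iceberg-rest)."""
    def get(name):
        return conf.get(f"{prefix}.{name}", "")

    if get("enableHttps").lower() != "true":
        return [f"{prefix}.enableHttps is not true: the service stays on plain HTTP"]
    required = list(REQUIRED_WITH_HTTPS)
    if get("enableClientAuth").lower() == "true":
        required += REQUIRED_WITH_CLIENT_AUTH
    findings = [f"{prefix}.{n} is required but not set" for n in required if not get(n)]
    for key, value in conf.items():
        # The configuration file does not resolve ${VAR}, so a literal one is a mistake.
        if key.startswith(prefix + ".") and re.search(r"\$\{\w+\}", value):
            findings.append(f"{key} contains an unresolved variable: {value}")
    if get("tlsProtocol") in LEGACY_PROTOCOLS:
        findings.append(f"{prefix}.tlsProtocol = {get('tlsProtocol')} is a legacy protocol")
    return findings


# Constructed sample: the settings from the example, plus client authentication
# without a trust store and an old protocol version.
SAMPLE = """\
gravitino.server.webserver.enableHttps = true
gravitino.server.webserver.keyStorePath = ${JAVA_HOME}/localhost.jks
gravitino.server.webserver.keyStorePassword = localhost
gravitino.server.webserver.managerPassword = localhost
gravitino.server.webserver.enableClientAuth = true
gravitino.server.webserver.tlsProtocol = TLSv1
"""

if __name__ == "__main__":
    for finding in check_https(parse_conf(SAMPLE)):
        print(finding)
```

Run it with the contents of conf/gravitino.conf in place of SAMPLE, and pass "gravitino.iceberg-rest" as the prefix to check the Iceberg REST service.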